Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XML BOM parsing fails if it contains vulnerability with score #2859

Closed
2 tasks done
LapNik opened this issue Jun 28, 2023 · 3 comments · Fixed by #2893
Closed
2 tasks done

XML BOM parsing fails if it contains vulnerability with score #2859

LapNik opened this issue Jun 28, 2023 · 3 comments · Fixed by #2893
Assignees
@nscuro
Labels
defect Something isn't working
Milestone
4.9

Comments

@LapNik
Copy link

LapNik commented Jun 28, 2023
edited
Loading

Current Behavior

When an XML BOM that contains a vulnerability with a score is uploaded to Dependency Track the parsing fails and no components are added to the project.

The following stack was in dependency-track.log:

2023-06-28 08:13:57,262 [] ERROR [alpine.event.framework.LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
java.lang.NoSuchFieldError: USE_FAST_DOUBLE_PARSER
        at com.fasterxml.jackson.databind.deser.std.NumberDeserializers$DoubleDeserializer._parseDouble(NumberDeserializers.java:755)
        at com.fasterxml.jackson.databind.deser.std.NumberDeserializers$DoubleDeserializer.deserialize(NumberDeserializers.java:684)
        at com.fasterxml.jackson.databind.deser.std.NumberDeserializers$DoubleDeserializer.deserialize(NumberDeserializers.java:663)
        at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
        at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
        at com.fasterxml.jackson.dataformat.xml.deser.XmlDeserializationContext.readRootValue(XmlDeserializationContext.java:91)
        at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4706)
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2904)
        at com.fasterxml.jackson.core.JsonParser.readValueAs(JsonParser.java:2310)
        at org.cyclonedx.util.VulnerabilityDeserializer.deserialize(VulnerabilityDeserializer.java:45)
        at org.cyclonedx.util.VulnerabilityDeserializer.deserialize(VulnerabilityDeserializer.java:30)
        at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
        at com.fasterxml.jackson.dataformat.xml.deser.WrapperHandlingDeserializer.deserialize(WrapperHandlingDeserializer.java:122)
        at com.fasterxml.jackson.dataformat.xml.deser.XmlDeserializationContext.readRootValue(XmlDeserializationContext.java:91)
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4730)
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3738)
        at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:87)
        at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:105)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

I could not reproduce this with cyclonedx-core-java parser unit tests.

I used the following XML:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
    <metadata>
        <component type="application" bom-ref="acme">
            <publisher>DependencyTrack</publisher>
            <name>Acme example</name>
            <externalReferences>
                <reference type="build-system">
                    <url>https://acme.example</url>
                </reference>
                <reference type="distribution">
                    <url>https://acme.example</url>
                </reference>
                <reference type="issue-tracker">
                    <url>https://acme.example</url>
                </reference>
                <reference type="vcs">
                    <url>https://acme.example</url>
                </reference>
            </externalReferences>
        </component>
    </metadata>
    <components>
        <component type="application" bom-ref="comp">
            <author>Sometimes this field is long because it is composed of a list of authors......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................</author>
            <publisher>Example Incorporated</publisher>
            <group>com.example</group>
            <name>xmlutil</name>
            <version>1.0.0</version>
            <description>A makebelieve XML utility library</description>
            <hashes>
                <hash alg="MD5">2b67669c925048d1a5c7f124d9ba1d2a</hash>
                <hash alg="SHA-1">72ca79908c814022905e86f8bbecd9b829352139</hash>
                <hash alg="SHA-256">1389877662864d2bb0488b4b1e417ce5647a1687084341178a203b243dfe90e7</hash>
            </hashes>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
                </license>
            </licenses>
            <copyright>Copyright Example Inc. All rights reserved.</copyright>
            <cpe>cpe:/a:example:xmlutil:1.0.0</cpe>
            <purl>pkg:maven/com.example/[email protected]?packaging=jar</purl>
            <modified>false</modified>
        </component>
    </components>
    <vulnerabilities>
        <vulnerability bom-ref="comp-vuln">
            <id>BOMVULN-01</id>
            <ratings>
                <rating>
                    <score>10.0</score>
                    <severity>critical</severity>
                    <method>CVSSv3</method>
                </rating>
            </ratings>
            <affects>
                <target>
                    <ref>comp</ref>
                </target>
            </affects>
        </vulnerability>
    </vulnerabilities>
</bom>

The same BOM was imported successfully when converted to JSON using cyclonedx-cli.

Steps to Reproduce

  1. Create an XML BOM file that includes a vulnerability with a rating score.
  2. Create a project in Dependency Track.
  3. Open the project's components and upload the BOM.
  4. Refresh components and check logs.

Expected Behavior

Components from the BOM are imported successfully. Vulnerabilities are ignored.

Dependency-Track Version

4.9.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Mozilla Firefox

Checklist
@LapNik LapNik added defect Something isn't working in triage labels Jun 28, 2023
@nscuro nscuro removed the in triage label Jun 28, 2023
@nscuro nscuro added this to the 4.9 milestone Jun 28, 2023
@nscuro
Copy link
Member

nscuro commented Jun 28, 2023

Thanks for reporting and providing a sample for reproducing, @LapNik!

Note to self: Caused by a version mismatch of Jackson Databind between cyclonedx-core-java and Dependency-Track. Solution is to get the version aligned.

@nscuro nscuro self-assigned this Jun 28, 2023
nscuro added a commit to nscuro/dependency-track that referenced this issue Jul 17, 2023
@nscuro
Add regression test for DependencyTrack#2859
ccb1056 
As of today, the issue is no longer reproducible. It is however reproducible by downgrading Alpine to `2.2.2`.

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro mentioned this issue Jul 17, 2023
Merged
1 task
@nscuro
Copy link
Member

nscuro commented Jul 17, 2023

I can no longer reproduce this issue, but I added a regression test for it.

It is still reproducible by downgrading Alpine to 2.2.2, but it seems that 2.2.3-SNAPSHOT of Alpine fixed the issue.

nscuro added a commit that referenced this issue Jul 17, 2023
@nscuro
Merge pull request #2893 from nscuro/issue-2859
ce788aa 
Add regression test for #2859
@github-actions
Copy link
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@nscuro nscuro

Labels
defect Something isn't working
Projects
None yet
Milestone
4.9
Development

Successfully merging a pull request may close this issue.

Add regression test for #2859 nscuro/dependency-track
2 participants
@nscuro @LapNik